DISCLAIMER

Standard disclaimer verbiage...

• Everything said, showed, implied, etc. is not the opinion of our employers, friends, dogs, VMware, ShmooCon, etc.

This disclaimer is not endorsed by our lawyers.
ABOUT US

Justin Morehouse
• Assessment Lead @ Large Retailer in Southeast USA
• Controls 58.2% of the MacBook Pro flipping market on Craigslist

Tony Flick
• Principal @ FYRM Associates
• Has never mistaken Hunts ketchup for Heinz ketchup... EVER!
WARNING

What this presentation IS NOT:
• 0-day release - worked w/ VMware
• A demonstration of rocket science

What this presentation IS:
• A reminder of the security implications of virtualization
• The culmination of 'sanity projects'
TIMELINE

Vulnerability identified on 5/14/09
Reported to VMware on 5/15/09
VMware responded on 5/21/09
CVE-2009-3733 reserved on 10/20/09
VMSA-2009-0015 released on 10/27/09
• "b. Directory Traversal vulnerability"
IDENTIFICATION

Originally identified on VMware Server 2.0.1 build 156745 (on Ubuntu 8.04)
Thought to be localized to inside of NAT interface of Host (8307/tcp)
Can steal VMs from within other VMs... if NAT'd
• Kinda cool, not really practical
What we originally reported to VMware & submitted to ShmooCon

...but
DOES THIS LOOK FAMILIAR?

[Screenshot: VMware Web Access login form - Login Name, Password, Log In]
HOW ABOUT THIS?

[Screenshot: the default "VMware ESX Server 3 - Welcome" page served by the host's web server]

Getting Started / For Administrators
• If you need to access this host remotely, use the following program to install VMware Infrastructure Client software. After running the installer, start the client and log in to this host. (Download VMware Infrastructure Client)
• To streamline your IT operations with VMware Infrastructure, use the following program to install VirtualCenter Server. VirtualCenter Server will help you consolidate and optimize workload distribution across ESX Server hosts, reduce new system deployment time from weeks to seconds, monitor your virtual computing environment around the clock, avoid service disruptions due to planned hardware maintenance or unexpected failure, centralize access control, and automate system administration tasks. (Download VMware VirtualCenter Server)
• If you need more help, please refer to our documentation library: VMware Infrastructure 3 Documentation

VMware Infrastructure Web Access
• Streamlines remote desktop deployment by allowing you to organize and share virtual machines using ordinary web browser URLs. (Log in to Web Access)

Web-Based Datastore Browser
• Use your web browser to find and download files (for example, virtual machine and virtual disk files). (Browse datastores in this host's inventory)

ESX Server Scripted Installer
• This browser-based utility allows you to automate host provisioning. (Log in to the Scripted Installer)

For Developers
VULNERABILITY

Web Access web servers also vulnerable
• Server (default ports 8222/8333) - ../ x 6
• ESX/ESXi (default ports 80/443) - %2E%2E/ x 6
No longer requires NAT mode / Remotely exploitable
Not as straightforward as originally thought
• Still trivial to exploit because...
IT'S GOOD TO BE ROOT

Web servers are running as root = complete access

ESX/ESXi

root@esx:~# lsof -i
COMMAND   PID  USER FD TYPE DEVICE SIZE NODE NAME
vmware-ho 1651 root    IPv4 6693       TCP  *:https (LISTEN)
vmware-ho 1651 root    IPv4 6694       TCP  *:http (LISTEN)

Server

root@server:~# lsof -i :8222,8333
COMMAND   PID  USER FD TYPE DEVICE SIZE NODE NAME
vmware-ho 6863 root 6u  IPv4 17272      TCP  *:8333 (LISTEN)
vmware-ho 6863 root 7u  IPv4 17273      TCP  *:8222 (LISTEN)
HOW IT WORKS ON SERVER

Proxy used to redirect requests based on URL
/etc/vmware/hostd/proxy.xml (includes mappings)

/sdk = 8307/tcp
/ui = 8308/tcp

<e id="1">
  <_type>vim.ProxyService.LocalServiceSpec</_type>
  <accessMode>httpsWithRedirect</accessMode>
  <port>8307</port>
  <serverNamespace>/sdk</serverNamespace>
</e>
<e id="2">
  <_type>vim.ProxyService.LocalServiceSpec</_type>
  <accessMode>httpsWithRedirect</accessMode>
  <port>8308</port>
  <serverNamespace>/ui</serverNamespace>
</e>
HOW IT WORKS ON SERVER

Web server on 8308/tcp is vulnerable, but will only serve certain filetypes (xml, html, images, etc.)

Web server on 8307/tcp is also vulnerable, but serves ALL filetypes

Simply append /sdk to our URL request and we've got complete access to Host filesystem (including other Virtual Machines)

ESX/ESXi - ALL web servers return ALL filetypes (no /sdk)
VULNERABLE VERSIONS

Server
• VMware Server 2.x < 2.0.2 build 203138 (Linux)
• VMware Server 1.x < 1.0.1 build 203137 (Linux)

ESX/ESXi
• ESX 3.5 w/o ESX350-200901401-SG
• ESX 3.0.3 w/o ESX303-200812406-BG
• ESXi 3.5 w/o ESXe350-200901401-I-SG
GUESTSTEALER

Perl script remotely 'steals' virtual machines from vulnerable hosts

Supports Server, ESX, ESXi

Allows attacker to select which Guest to 'steal'

Utilizes VMware configuration files to identify available Guests and determine associated files
VMINVENTORY.XML

/etc/vmware/hostd/vmInventory.xml (default location)
Gives us Guest inventory & location information

<ConfigRoot>
  <ConfigEntry id="0000">
    <objID>48</objID>
    <vmxCfgPath>/var/lib/vmware/Virtual Machines/TenableAppliance-1..3/TenableAppliance.vmx</vmxCfgPath>
  </ConfigEntry>
  <ConfigEntry id="0001">
    <objID>80</objID>
    <vmxCfgPath>/var/lib/vmware/Virtual Machines/Snort (Ubuntu 8.0.3)/Snort (Ubuntu 8.0.3).vmx</vmxCfgPath>
  </ConfigEntry>
</ConfigRoot>
GUEST .VMX & .VMDK

.vmx gives us Guest config and file locations

scsi0.present = "FALSE"
scsi0.sharedBus = "none"
memsize = "512"
scsi0:0.present = "FALSE"
scsi0:0.fileName = "Windows XP.vmdk"
scsi0:0.writeThrough = "TRUE"
ethernet0.present = "TRUE"

.vmdk (disk image) can point to other .vmdk images

# Disk Descriptor File
version=1
encoding="UTF-8"
CID=b74fb48a
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 20971520 FLAT "Windows XP-flat.vmdk"
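Added example (our own detection logic, not the GuestStealer script or anything from the presentation): it scans access-log lines from the ports named on the VULNERABILITY and HOW IT WORKS ON SERVER slides for requests that climb above the web root in either form the slides show (../ x 6 and %2E%2E/ x 6, and, going beyond the slides, double-encoded variants), and reports whether the request went through /sdk and whether it reached one of the host files the VMINVENTORY.XML and GUEST .VMX & .VMDK slides show. The log line layout, the port set and the watchlist of file names are constructed assumptions, and a request like /ui/css/../images/x.png that never leaves the root is deliberately not flagged.

```python
import re
from urllib.parse import unquote

# Ports the slides name: Server Web Access 8222/8333, hostd back ends 8307 (/sdk) and 8308 (/ui), ESX/ESXi 80/443.
HOSTD_PORTS = {80, 443, 8222, 8333, 8307, 8308}
# Host files the later slides show being fetched after traversal (constructed watchlist).
SENSITIVE = ("vmInventory.xml", "proxy.xml", ".vmx", ".vmdk")

def decode_path(path):
    """Percent-decode until stable, so %2E%2E/ and double-encoded %252E%252E/ become ../"""
    while (decoded := unquote(path)) != path:
        path = decoded
    return path

def escape_depth(path):
    """Levels a request climbs above the web root; 0 means it never leaves it."""
    depth = deepest = 0
    for seg in re.split(r"[/\\]+", path):
        if seg == "..":
            depth -= 1
            deepest = min(deepest, depth)
        elif seg not in ("", "."):
            depth += 1
    return -deepest

def classify(line):
    """One constructed log line: '<client> <dst_port> <method> <path> <status>'."""
    client, port, _method, raw, status = line.split()
    port, status = int(port), int(status)
    if port not in HOSTD_PORTS:
        return None
    path = decode_path(raw)
    depth = escape_depth(path)
    if depth == 0:  # e.g. /ui/css/../images/x.png stays inside the root: no alert
        return None
    target = next((s for s in SENSITIVE if path.endswith(s)), None)
    return {"client": client, "port": port, "escape": depth, "target": target,
            "via_sdk": path.startswith("/sdk/"),  # proxied to 8307, which serves all file types
            "verdict": "confirmed" if status == 200 and target else "attempt"}

def scan(lines):
    return [alert for alert in map(classify, lines) if alert]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "10.0.0.5 8333 GET /ui/css/../images/logo.png 200",
    "10.0.0.9 8222 GET /sdk/../../../../../../etc/vmware/hostd/vmInventory.xml 200",
    "198.51.100.7 443 GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/vmware/hostd/vmInventory.xml 200",
    "198.51.100.7 443 GET /%252E%252E/%252E%252E/etc/passwd 404",
]
```

Run scan(SAMPLE_LOG) to get three alerts: the /sdk request escaping five levels and the ESX %2E%2E request escaping six are both "confirmed" reads of vmInventory.xml, while the double-encoded request is an "attempt".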
LIVE DEMO
MITIGATION STRATEGIES

Patch, patch, patch
• Hosts are an attractive target (compromise one = access many)

Better yet... Segment, segment, segment
• Segment management interfaces
• Segment systems of different security levels
• Don't share physical NICs between different security levels

Virtualization is not always the 'best answer'
QUESTIONS?

GuestStealer available for download

www.fyrmassociates.com